Description

This article describes various troubleshooting steps that can be taken to fix an issue where configuring FortiGate as DHCP server to do the DDNS update on a DNS server does not work as expected.

Scope

FortiGate.

Solution

1. Check if the FortiGate is receiving the DHCP Request with the option: (81) Client Fully Qualified Domain Name. This can be checked by taking a packet capture on the FortiGate GUI or CLI on the interface where the DHCP client is connected. 
   To take packet capture, refer to this article.
   
2. In Option 81, the 'S' bit in the flag field must be set to 1 if the Client wants the server to perform the DNS update.

See this document.

Option: (81) Client Fully Qualified Domain Name
Length: 16
Flags: 0x00
0000 .... = Reserved flags: 0x0
.... 0... = Server DDNS: Some server updates
.... .0.. = Encoding: ASCII encoding
.... ..0. = Server overrides: No override
.... ...0 = Server: Client  <--S bit
A-RR result: 0
PTR-RR result: 0
Client name: AB81-xxxx

The format of the 1-octet Flags field is:

0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+
| MBZ |N|E|O|S|
+-+-+-+-+-+-+-+-+

3. If the S bit is not set, then:
   1. The client is going to perform the update, OR:
   2. The server will inform the client in DHCP ACK that the server will perform the DNS update.

4. Check DHCP ACK from the DHCP server and see if the 'S' bit is set to '1'. If 'S' bit is set in Option 81 of DHCP ACK, the DHCP server is responsible for performing the Dynamic DNS update on the DNS server.

See this document.

5. Check dhcps debugs on the FortiGate and look for DHCP ACK from the DHCP server (FortiGate interface).

Based on the 'S' bit, the FortiGate should determine that it has to update the DNS server with an A record. The following debugs can be expected in that case.

2024-10-17 15:02:04 [debug][dhcpd_ddns_update:1626] DHCP server will be sending a DDNS update with an ID 954 for DHCP client, 6c:4b:90:xx:xx:xx.
2024-10-17 15:02:04 [note]DHCPACK on 10.130.51.60 to 6c:4b:90:xx:xx:xx via lan1(ethernet)

DHCPS Debugs - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Diagnosing-DHCP-on-a-FortiGate/ta-p/192960

6. Check DNS traffic in the sniffer taken on FortiGate’s interface where DNS server is connected. The FortiGate should generate Dynamic DNS Update and send it to the DNS server. If the update is successful, Dynamic DNS Update Response is seen from the DNS server. The following is an example for a successful DNS update where 10.0.0.1 is FortiGate’s interface and 10.0.0.56 is the DNS server.
   

  2024-10-09 10:48:22.633701  10.0.0.1  10.0.0.56  DNS  156              Dynamic update 0x000d SOA example.com A A 10.0.56.2
  2024-10-09 10:48:22.634712  10.0.0.56  10.0.0.1  DNS  156              Dynamic update response 0x000d SOA example.com A A 10.0.56.2

See this article for instructions on packet capture.

Related document:
Technical Tip: Configure DDNS update override in FortiGate DHCP server